What is CVE-2025-29927?

A vulnerability in Next.js middleware allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header, granting unauthorized access to protected routes.

How do I fix CVE-2025-29927?

Upgrade Next.js immediately to 15.2.3+, 14.2.25+, 13.5.9+, or 12.3.5+. Block x-middleware-subrequest header at CDN/reverse proxy level. Move critical authorization checks from middleware into route handlers/server components. Audit all middleware.ts files for security-critical authorization logic. Deploy Cloudflare WAF rule or equivalent to block the header manipulation. Rotate session tokens and audit access logs for potential exploitation.

criticalCVSS 9.1/10·Published: 2025-03-21·Next.js

How to fix CVE-2025-29927 – Step-by-Step Guide

CVE-2025-29927 is a critical Next.js vulnerability, dubbed "Next.js Middleware Authorization Bypass," with a CVSS score of 9.1. This flaw allows attackers to bypass authorization checks, granting unauthorized access to protected resources. It significantly impacts Next.js applications relying on middleware for access control.

CVE ID

CVE-2025-29927

Severity

CRITICAL

CVSS Score

9.1/10

Affected

Next.js

What is Next.js Middleware Authorization Bypass?

This Next.js vulnerability arises from improper handling of the `x-middleware-subrequest` header within the application's middleware. Attackers can manipulate this specific header in requests, causing the middleware to incorrectly process or entirely bypass intended authorization logic. This manipulation effectively circumvents access controls, allowing unauthorized access to protected routes.

Affected Versions

Next.js < 15.2.3, < 14.2.25, < 13.5.9, < 12.3.5

Fixed In

Next.js 15.2.3+, 14.2.25+, 13.5.9+, 12.3.5+

Official References

Impact and Risks for your Infrastructure

The primary impact is unauthorized access to sensitive pages and API routes in affected Next.js applications. Attackers can bypass authentication and authorization, potentially leading to data breaches, privilege escalation, and compromise of critical application functionality. This severely impacts business operations, data integrity, and user trust.

nextjsmiddlewareauth-bypasscritical2025

Step-by-Step Mitigation Guide

To mitigate this vulnerability, immediately upgrade your Next.js application to a patched version: 15.2.3+, 14.2.25+, 13.5.9+, or 12.3.5+. Verify the fix by updating your `package.json` and running `npm install` or `yarn install`. Post-upgrade, rigorously re-test your application's authorization flows to confirm the bypass is no longer possible.

1Upgrade Next.js immediately to 15.2.3+, 14.2.25+, 13.5.9+, or 12.3.5+.
2Block x-middleware-subrequest header at CDN/reverse proxy level.
3Move critical authorization checks from middleware into route handlers/server components.
4Audit all middleware.ts files for security-critical authorization logic.
5Deploy Cloudflare WAF rule or equivalent to block the header manipulation.
6Rotate session tokens and audit access logs for potential exploitation.

Frequently Asked Questions

What is the CVSS score for CVE-2025-29927?▼

CVE-2025-29927 has a CVSS score of 9.1/10 (critical severity). This reflects the most severe potential impact, requiring immediate remediation.

Which versions of Next.js are affected?▼

Affected: Next.js < 15.2.3, < 14.2.25, < 13.5.9, < 12.3.5. The vulnerability was fixed in: Next.js 15.2.3+, 14.2.25+, 13.5.9+, 12.3.5+.

How long does it take to fix CVE-2025-29927?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2025-29927 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a critical-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.